Securing Tomcat

iDashboards is not in the business of system security. However, we do want to share some of the best practices we have found. By no means does this ensure the security of your system; it should help mitigate some of the risks. All scans should be run against a system that has a valid SSL certificate installed, not a self-signed certificate.

Security Testing:

All security scans should be performed against the most current version of iDashboards. When running the scan, please set the system log level to 'Debug (most Verbose)'. You can do this by going to ../iDashboards/admin, clicking the 'System' tab, then 'System Logs', and looking for the 'General Level' drop-down.

Tomcat/conf/server.xml

Add server="IDBP" to the Connector element.

This replaces the Tomcat version string in the Server response header, so a request for a missing page no longer reveals which version of Tomcat is running. Adding a custom 404 page also helps, but using both is recommended.

This setting indicates whether or not iDashboards passwords can be stored by the browser and automatically supplied by the browser upon logging into the browser-based iDashboards applications.

To turn this off, go to the Admin page -> System -> Setting Category, select Security Settings, and set Allow Auto-Completion of Passwords = False. By default the option is set to True, and many security scanning applications flag this option, so if you are planning to run a security scan please turn this setting off.

Cookies not sent over SSL: useHttpOnly="true"

The session and SSO cookies in Tomcat are sent with the HttpOnly flag by default, which instructs browsers to prevent access to those cookies from JavaScript. This is considered more secure, but it will prevent JavaScript from reading the value of the cookie. This feature is controlled by the useHttpOnly attribute on the Context element. (This feature is also implemented in the latest versions of Tomcat 6.0 and greater but is off by default there. It can be enabled by setting useHttpOnly="true" on the Context element of a web application or in the global CATALINA_BASE/conf/context.xml file.) Note that HttpOnly is independent of the cookie's Secure flag, which is what restricts a cookie to HTTPS connections.


The User Application can be framed by another web page. To disallow this, go to the Admin page -> System -> Security Settings. You will see the following options, which by default are set as follows.

User Application X-Frame-Options Header = None

HTML Viewer X-Frame-Options Header = None

Admin Application X-Frame-Options Header = Deny

Set all to DENY to prevent framing of iDashboards.

Tomcat Manager

Removing the Tomcat manager application will prevent anyone from trying to log in to it. By default there is no username and password configured for it, but brute-force attacks against it can strain system resources and cause slow-running dashboards.

With this in place, anyone requesting the root directory is forwarded to the iDashboards application by default. This also means users do not have to type /idashboards.

Custom 404 Page

Adding this page will send people to the 404 page and then, when used in conjunction with the page redirect, forward them to the iDashboards application. This is useful for people who mistype the URL and for people probing for information.

Edit web.xml in the directory ROOT/WEB-INF.

In the webapps/ROOT directory, add a 404.html and place whatever HTML you would like in this document.

You will then need to add the following to the bottom of the web.xml document, inside the closing </web-app> tag:

    <error-page>
        <error-code>404</error-code>
        <location>/404.html</location>
    </error-page>
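The following script is an added example, not iDashboards' own tooling, that checks a Tomcat CATALINA_BASE for the settings covered above: the server= attribute on each Connector in conf/server.xml, useHttpOnly="true" on the Context in conf/context.xml, the absence of the manager and host-manager applications, and a 404 error-page in webapps/ROOT/WEB-INF/web.xml whose target file exists. The directory trees it inspects are constructed in a temporary directory so it runs offline; the value server="IDBP" comes from this article, while the sample Connector, Context and web-app contents are assumptions made here.

```python
"""Audit a Tomcat CATALINA_BASE for the hardening settings in this article.

Added example; the sample files below are constructed, not copied from
any real install. Point audit_catalina_base() at a real CATALINA_BASE
(e.g. /opt/tomcat) to audit a live system.
"""
import os
import tempfile
import xml.etree.ElementTree as ET

# Constructed sample configuration. Each template has one slot that is
# left empty for the "weak" variant and filled in for the "hardened" one.
SERVER_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
               scheme="https" secure="true"{server_attr}/>
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps"/>
    </Engine>
  </Service>
</Server>
"""
CONTEXT_XML = '<?xml version="1.0" encoding="UTF-8"?>\n<Context{http_only}/>\n'
WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <display-name>ROOT</display-name>{error_page}
</web-app>
"""
ERROR_PAGE = """
  <error-page>
    <error-code>404</error-code>
    <location>/404.html</location>
  </error-page>"""


def local(tag):
    """Strip a namespace prefix such as {http://...}error-page from a tag."""
    return tag.rsplit("}", 1)[-1]


def audit_catalina_base(base):
    """Return a list of findings; an empty list means every setting is in place."""
    findings = []
    conf = os.path.join(base, "conf")
    webapps = os.path.join(base, "webapps")

    # 1. server="..." on every Connector replaces the Tomcat version string
    #    that the Server response header would otherwise carry.
    for conn in ET.parse(os.path.join(conf, "server.xml")).iter("Connector"):
        if not conn.get("server"):
            findings.append(f"server.xml: Connector on port {conn.get('port')} has no "
                            "server= attribute; Server header discloses the Tomcat version")

    # 2. useHttpOnly="true" on the global Context keeps session cookies
    #    out of reach of JavaScript.
    ctx = ET.parse(os.path.join(conf, "context.xml")).getroot()
    if ctx.get("useHttpOnly", "").lower() != "true":
        findings.append('context.xml: Context lacks useHttpOnly="true"')

    # 3. The manager applications should not be deployed at all.
    for app in ("manager", "host-manager"):
        if os.path.isdir(os.path.join(webapps, app)):
            findings.append(f"webapps/{app} is still deployed; remove it")

    # 4. ROOT's web.xml must map 404 to a page that actually exists.
    location = None
    for elem in ET.parse(os.path.join(webapps, "ROOT", "WEB-INF", "web.xml")).iter():
        if local(elem.tag) == "error-page":
            fields = {local(c.tag): (c.text or "").strip() for c in elem}
            if fields.get("error-code") == "404":
                location = fields.get("location")
    if location is None:
        findings.append("ROOT/WEB-INF/web.xml: no <error-page> for 404")
    elif not os.path.isfile(os.path.join(webapps, "ROOT", location.lstrip("/"))):
        findings.append(f"ROOT/WEB-INF/web.xml: 404 page {location} does not exist")
    return findings


def build_sample(hardened):
    """Write a constructed CATALINA_BASE to a temp directory and return its path."""
    base = tempfile.mkdtemp(prefix="tomcat-audit-")
    root = os.path.join(base, "webapps", "ROOT")
    os.makedirs(os.path.join(base, "conf"))
    os.makedirs(os.path.join(root, "WEB-INF"))
    with open(os.path.join(base, "conf", "server.xml"), "w") as f:
        f.write(SERVER_XML.format(server_attr=' server="IDBP"' if hardened else ""))
    with open(os.path.join(base, "conf", "context.xml"), "w") as f:
        f.write(CONTEXT_XML.format(http_only=' useHttpOnly="true"' if hardened else ""))
    with open(os.path.join(root, "WEB-INF", "web.xml"), "w") as f:
        f.write(WEB_XML.format(error_page=ERROR_PAGE if hardened else ""))
    if hardened:
        with open(os.path.join(root, "404.html"), "w") as f:
            f.write("<html><body>Page not found.</body></html>\n")
    else:
        for app in ("manager", "host-manager"):  # a default install ships both
            os.makedirs(os.path.join(base, "webapps", app))
    return base


if __name__ == "__main__":
    for label, hardened in (("weak", False), ("hardened", True)):
        print(f"== {label} sample ==")
        for finding in audit_catalina_base(build_sample(hardened)) or ["no findings"]:
            print(" -", finding)
```

Running the script prints five findings for the weak tree and none for the hardened one. The web.xml check strips the XML namespace before comparing tag names, because a real ROOT/WEB-INF/web.xml declares a default namespace and a plain tag comparison would silently miss the error-page element.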